Back
How to Stop / shutdown iSQL*Plus
This short article shows how you can disable / shutdown / stop iSQL*Plus in Oracle. This web based version of SQL*Plus
has been available since version 8iR3 (8.1.7) and is a useful tool but there are a few known security issues with its
use in a production environment. Because it uses internet techniques to access the database you should be carful with
its use. The SANS step-by-step guide has some details on securing iSQL*plus. These are also covered in the SANS S.C.O.R.E
document and the CISecurity Oracle benchmark - both are based on the SANS step-by-step and can be found here
For instance just in Feb 2004 a new CSS exploit has been made public on the Oracle security alerts website using
this tool as the example.
Here is how to disable iSQL*Plus:
on Windows you will find the file %ORACLE_HOME%\Apache\Apache\conf\oracle_apache.conf and then comment out the following line:
Save the file and then restart Apache and iSQL*Plus will no longer work. This can be done from =>
Start -> Settings -> Control Panel -> Administrative Tools -> Services and then locate the Oracle HTTP server - for instance on
my Oracle 9iR2 Personal Oracle its called "OracleOraHome90HTTPServer" - It may be different on your system. Simply click on the restart
link to the left of the screen.
On Unix the file name is the same and in the same location but use $ORACLE_HOME instead of %ORACLE_HOME%. Also to restart apache on Unix
use the apachectl script with start and stop commands.
Finally you can test if iSQL*Plus is indeed disabled by going to http://
#
#include "C:\oracle\ora90\sqlplus\admin\isqlplus.conf"
#
Back